Risk-based approach 

An information security risk assessment carried out on assets listed in an inventory was already required by BS 7799-2, the predecessor of the ISO standards. The previous version of ISO 27001 (issued in 2005) necessitated an assessment on assets and an asset inventory was mentioned in Annex A, but there was no explicit relationship between the two. It also expected the identification of threats and vulnerabilities as part of the risk assessment. Now all these are gone. In the current version of ISO 27001 (issued in 2013), the risk assessment requirements do not even mention the assets, although there is still an asset inventory requirement as a control. Annex A controls do not prescribe risk assessment on the assets drawn up in the inventory, yet there is a requirement to define rules on acceptable use. And what should these rules be based on if not risk assessment?

Flexibility vs. unambiguity 

There is a tendency in the latest issues of management system standards for requirements to be more general, allowing more implementation flexibility. This comes from the unified standard core text of management system standards, yet unfortunately this allows for more debate on the interpretation of standard requirements between the organization and an auditor.

A granular approach 

It is simply impossible to include all known risks into an information security risk assessment. Don’t forget, that you not only have to create, but also maintain the assessment. Include only risks that are considered relevant – close to or above the acceptable level (always consider existing controls when estimating risk levels). Assessments tend to be large anyway, therefore, it is possible to apply different risk assessment and management methods for different groups of assets. For processes, either business or operational, a general assessment may be enough, but in relation to critical assets a detailed risk assessment and inventory are typically needed.

information security risk assessment image

Documentation references

All ISO management system standards now promote a risk-based approach. The normative text of the management system standards is talking about risk-based thinking, but there is no requirement on a risk assessment. The ISO 27001 standard however requires controls deemed to be necessary by the organization be based on a formal risk assessment. There is however no explicit requirement to create direct relationship between procedures and the assessment. But still, it is a good idea. If you include (at least) one Annex A reference to each and every relevant risk, you have the basic information to create a key document of an ISO ISMS, the Statement of Applicability. This way you also have a proof in your hands that you have fulfilled the requirement to compare your controls with those in Annex A to verify that no necessary controls have been omitted.

What to expect

Only assessments that are supported by a risk database may reveal new risks, which were not known to the organization. Although the term systematic was proscribed to the vocabulary standard (ISO 27000), risk assessment is still a great tool to compile known risks relevant to the organization, classify them and make decision on additional controls.

There is no such thing as zero risk, yet the probabilities and effects of incidents can be reduced by additional controls. The utmost advantage of an information security risk assessment is that you can concentrate your security spendings on the greatest risks.